Proofpoint: Security, Compliance and the Cloud

Proofpoint is hiring! If you're searching for the next defining step in your career, come and see us at the Tech Career Expo in San Francisco.

The Tech Career Expo and Developer Jam is taking place today and tomorrow June 28 and 29 at the Moscone Center in San Francisco. The expo is being held concurrently with Google’s sold out developer conference, Google I/O, which is also taking place in the Moscone Center. As an added perk, keynotes and key sessions from Google I/O will be live streamed into the developer theater for Tech Career Expo attendees to view.

The most exciting part of the event (other than talking with awesome Proofpoint recruiters!) is that anyone can attend the Tech Career Expo free of charge.

Don’t miss out on the opportunity to network with Proofpoint professionals who are hiring in all areas of technology. We're seeking the best and the brightest for positions in engineering, operations, big data (Hadoop, Mapreduce, Hive, etc.), quality assurance, software R&D,  marketing and sales.

If you will be attending the Expo or Google I/O, make a point to stop by Proofpoint's Tech Career Expo booth (#512) to learn about all of our incredible employment opportunities.

For those who cannot make the event but are interested in a career with Proofpoint, check out the Proofpoint careers page for information on available positions.

At the risk of posting a blog entry that's nothing but links to other resources and commentary, several friends of the Proofpoint blog pointed out this article—about San Francisco area security startup eCert and the introduction of their "eCert Email Domain eCertification Service"—as something I might want to comment on:

Wall Street Journal "Digits" Blog: Startup Hopes to Stop Phishing with Certified Email

In that article, Ben Worthen describes eCert's efforts to stop phishing and targeted attacks with a service that, "confirms that an email is from the company it says it's from." The timing for this article coincides with eCert's introduction of a new service (see press release "eCert Partners With Google and Yahoo! to Protect Businesses and Consumers From Email Fraud").

Regular email security blog readers will no doubt say that this sounds like yet another email authentication idea and wonder if this is some sort of new approach or if it builds on other existing email authentication schemes such as SPF and DKIM. Certainly, there's a great need to help reduce the impact of phishing activites (especially as targeted phishing - aka spear phishing - attacks have become so prevalent).

(Here come more links: You can find my recent blog postings related to phishing here - http://blog.proofpoint.com/phishing/ - and, particularly relevant is the post Spear Phishing Experiment Shows Spoofed Social Media Email Bypasses Most Email Filters.)

And, indeed, it looks like the service that eCert has announced is aimed at helping financial institutions and other heavily phished organizations use existing email authentication mechanisms to best effect, even though that's not entirely obvious from their press release. From their press release:

"The eCert Email Domain eCertification Service is a centralized service to register, manage and monitor domains that send email. Three key features of eCert’s groundbreaking new service include: monitoring email traffic and threat activity, protecting member company emails against major forms of phishing, and ‘eCertification’ that enables advanced security, improved delivery and other important benefits, including delivery of critical data on email traffic activity and phishing attack alerts."

While one could be cynical about the commercialization of SPF/DKIM technologies, in practice, it can be very difficult for a large organization to properly configure SPF and/or DKIM, in part due to the large number of third parties who may, in fact, send legitimate email on behalf of that organization. So it makes sense for a company like eCert to provide an end-to-end service that takes care of all the minutia involved in email authentication.

And this brings me to what may be the most useful link in this post... In cooperation with BITS, eCert published a really good whitepaper on email authentication deployment that they make freely available. I haven't read this document in great detail, but it provides a really good overview of (1) what email authentication is and what it does, (2) what email authentication does not do, (3) basic info about how SPF and DKIM operate, (4) pre-deployment considerations for large organizations, and even a sample project plan.

Heck, they don't even require registration to download this paper. You can snag a copy at this link:

BITS/eCert whitepaper: Email Sender Authentication Deployment

While I was researching this post, I also ran across some pretty amusing commentary from the unknown blogger at "What The Hell? Security", which is a very interesting and opinionated security blog.

Two relevant posts there. First, a post inspired by reading eCert's announcement, "fishing for red herring phishing solutions," and second, a thought-provoking post about "the 9 laws of phishing."

The "9 laws" is especially worth reading, I think, and probably deserves its own post here in the Email Security Blog at a later time. But right now, I have to get back to not clicking on bad links.

Posted by Chris Moores, Professional Services

Salesforce has often been cited as the pioneer for the Software-as-a-Service (SaaS) industry. We use Salesforce ourselves, and have been quite happy with this decision. However, I recently requested a copy of their Service Level Agreement (SLA) for service availability and was taken aback with the reaction I got from their customer support department. The responses I got ranged from “What’s an SLA?” to “Do you mean you want to know our support ticket resolution time?” to “In the 5 years I have been working here, I’ve never had anyone ask that question.”

It doesn’t seem like Salesforce has any SLAs, which I find very odd. This prompted me to run some online searches, and the results surprised me a bit – I didn’t realize that SLAs are far from prevalent among SaaS providers. I think this could be one reason why some IT departments are still quite skeptical about using SaaS applications.

As Craig had pointed out in a previous post, we constantly hear from customers that one of the things they love about outsourcing is that they no longer have to stress about uptime and performance. At Fortiva/Proofpoint, we not only take over the stress of managing all infrastructure and archiving application issues that may arise, we also strive for unsurpassed customer service and industry leading SLAs that few providers (both outsourced or on-premise) can match.